
What can I do to stop

I've got a Microsoft Infrastructure class this semester and need some help with security. We have established a domain of about 25 computers with a variety of OSes (XP Pro, 2000 Pro, NT Workstation, NT 4.0, 2000 Server, 2000 Advanced, and a Fedora server and a couple of Fedora workstations). Each person in the class has a different OS, and we have learned how to get them all to work together. But now that we have most of the bugs worked out, the instructor has a new twist: one member of my class, we have no idea who, has been instructed to hack us at will and do as much damage as he can. I am running a 2000 Advanced Server as a domain controller with WINS and DNS on it. Last week he pretty much had his way with a couple of people's machines and I don't want to be next. Can anyone give me any ideas? Please remember I'm still new at this. I'm smart enough to know that I know nothing.

Search google and this site for security related terms... that's where you should start... Though I may be inclined to help you since minus the WINS server, that's exactly what my desktop machine is running... don't ask why.

Can you d/l and install stuff, or are you stuck with configuring what you have? I'd assume you can get updates, get all them of course.

If you can, d/l something like Zone Alarm first, then research. Wait for a few more posts; there's a lot o' experienced people on here. They'll hook you up with all sorts of stuff.

Do you have to keep all your services operational? If not, you can shut off some of them, though not all, since you've made the leap to domain controller already. If someone knows how to shut all that **** off after actually becoming a domain controller, you'd be helping me as well as him.

A funny thought just crossed my mind... depending on how much he already knows about your network, like your IP address and such (like that can't be changed anyway; screw network policy, DHCP is even better), I, myself, would play with a honeypot, just to keep him busy for a while. I'd assume he won't spend all his free time trying to hack your box, though you never know. If you could work a honeypot, you could log what he's doing, hopefully buying you at least one class period to send us the logs... HAHA, that would be great.

Though you said you know nothing, I'll see what you have to say on the subject. Wait for a dozen or so more replies to get the whole think tank on board if they're interested. You'll need to keep me interested too. See if you can do something about finding the identity of the dude and feeding us some profile info. It may come to something, who knows.

1. Do you know how the other two machines were attacked?
2. Will he/she have physical access to your machine? (When I build a "secure box" I always use removable hard drives, lock the CD and floppy to normal users, boot from HDD first, etc.)
3. Which OSes were attacked first?
4. I would suggest some security tools, but I am not sure if you are allowed to load them. I guess the EULA is OK as you are using them "privately", albeit in an educational environment? As UpperCell has already pointed out, it is important for us to know if you can do this, and any other rules of engagement.

Good luck

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

I noticed the lack of mention of a firewall and/or an IDS. Are you not allowed to install these? You might want to look at the NSA's Security Guides to see if they may help you lock down your servers better. And perhaps check the tutorials I wrote on Wargames as they may give you a better idea as to how the attacker got in. I suspect that there is no physical access immediately but rather remote access.

Lastly, the most common way that I get into my students' machines is due to really poor password policy (e.g., "password", "root", "course#", their email password -- which they access over the clear). You might want to ensure you put in some strong password policies on important machines in particular.

The first two machines he got were another 2000 Advanced Server and one of the 98 machines. I think he's just picking at random. The only access he is allowed is remote, so that helps. I can download anything but a firewall, and all my updates are downloaded, so there I'm okay. I have GFI LANguard Network Security Scanner downloaded and I'm going to use it tonight to try and find all the holes in the network. But I really want to beat this guy since the instructor is so sure we will all fail. Thanks for your help.

You want WinSonar 2003... if it runs on your OS it should detect a network connection; if not, open an internet connection to "liven it up"... say "yes" to the prompt to block unknown background processes.

A word about social engineering... it is NOT one of your fellow students... hell, they know as much, or as little, as you?... it is your instructor who is the "bad guy".

Find out what you can about his ID, logon etc.

Cheers


I can download anything but a firewall and all my updates are downloaded so there I'm okay.

Actually, you know who you should talk with: Pooh Tzu Sun. He has a Windows box locked down without Firewall or AV. And I've checked it. It's an impressive setup. Send him a quick note on some advice on how to lock your boxes down to prevent remote access but still allowing necessary services. His setup was quite impressive.

The real prize would be the domain server, and since you are using 98 machines and possibly Samba, the DC must answer LM authentication requests; if your 'attacker' is on the LAN with you he may as well go for the DC by sniffing LM hashes, and then he will 0wn j00 all. But seriously, just some initial precautions I would take would be to tighten your file permissions, disallow anon NB stuff (do you have to have it?), enable auditing, check your local sec policy, remove all un-needed/required services, if you run IIS run IIS Lockdown and remove all your extensions, remove SYSTEM execute privileges on commonly exploited binaries (cmd.exe, tftp, etc.), change your admin account, enforce strong password policy, then run some tools like Baseline Security and Nessus against yourself (perhaps a trial/edu version of eEye Retina?) and see what turns up, then rinse... repeat...
Have fun!

-Maestr0

"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
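Two replies above single out weak passwords as the usual way in and "enable auditing" as an early precaution. The script below is an added example, not code from anyone in this thread, showing what auditing buys a defender: once logon auditing is on, repeated failures against one account from one workstation stand out long before a lockout. The log lines are constructed for the example, in an assumed tab-separated export (timestamp, event ID, account, source workstation); the event IDs 529 (bad user name or password) and 539 (account locked out) are the NT/2000 security-log values, and the threshold and window are arbitrary choices for illustration.

```python
"""Flag password guessing in a (constructed) NT/2000 security-log export."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILURE = 529       # NT/2000: "Logon Failure: Unknown user name or bad password"
ACCOUNT_LOCKED_OUT = 539  # NT/2000: "Logon Failure: Account locked out"

# Constructed sample export (not from the thread). Assumed columns:
# timestamp <TAB> event id <TAB> account <TAB> source workstation
SAMPLE_LOG = """\
2003-10-14 21:02:11\t528\tjsmith\tWS07
2003-10-14 21:05:40\t529\tadministrator\tWS12
2003-10-14 21:05:42\t529\tadministrator\tWS12
2003-10-14 21:05:45\t529\tadministrator\tWS12
2003-10-14 21:05:47\t529\tadministrator\tWS12
2003-10-14 21:05:50\t529\tadministrator\tWS12
2003-10-14 21:05:53\t539\tadministrator\tWS12
2003-10-14 21:30:01\t529\tjsmith\tWS07
2003-10-14 23:12:19\t529\tjsmith\tWS07
2003-10-14 23:12:40\t528\tjsmith\tWS07
"""


def parse_line(line):
    """Split one export line into a dict; account names are case-folded."""
    ts, event_id, user, source = line.rstrip("\n").split("\t")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "user": user.lower(),
        "source": source,
    }


def parse_log(text):
    """Parse every non-blank line of the export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(account, source): max failures seen inside any `window`}.

    Only (account, source) pairs that reach `threshold` failed logons within a
    sliding time window are reported, so an occasional typo is ignored.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == LOGON_FAILURE:
            failures[(e["user"], e["source"])].append(e["time"])

    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def find_lockouts(events):
    """Return sorted (account, source) pairs that triggered a lockout event."""
    return sorted({(e["user"], e["source"])
                   for e in events if e["event_id"] == ACCOUNT_LOCKED_OUT})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (user, source), n in find_password_guessing(evts).items():
        print(f"guessing: {n} failures for '{user}' from {source}")
    for user, source in find_lockouts(evts):
        print(f"lockout:  '{user}' from {source}")
```

On the sample data the administrator account is flagged after five failures in ten seconds from WS12 and then locked out, while jsmith's two failures hours apart are not reported. The same sliding-window logic works on real exports once the column order matches; the point is that a strong password policy (with a lockout threshold) and auditing together turn a guessing attempt into a visible event rather than a quiet success.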